Vidar

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of vengeance. This upgraded version of the Arkei stealer has been terrorizing the internet since 2018.

Type: Trojan
Origin: ex-USSR
First seen: 1 December, 2018
Last seen: 19 January, 2021
Also known as: Arkei
Global rank: 20
Week rank: 21
Month rank: 19
IOCs: 6430

What is Vidar / Arkei malware?

Vidar is an information stealer Trojan that was first identified in December 2018. It is either a fork of Arkei or the result of its evolution. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected machines, take screenshots, steal cryptocurrency and more.

General description of Vidar

Vidar is presumed to have originated in a Russian-speaking country, since the malware is configured to stop executing if it detects that it is running on a machine located in one of the ex-USSR nations or on one that uses a Russian keyboard layout.

Vidar is another malware sold under the MaaS (Malware-as-a-Service) business model: it can be purchased on its “official” website for a hefty price tag of $700 for the PRO version, while a stripped-down version of the malware can be obtained for just $250.

Vidar is written in C++. Purchasing an account grants the attacker access to a control panel where the malware can be configured to target particular information on victims’ PCs. As with Arkei, cybercriminals need to protect the main payload themselves, using a cryptor or a packer. The control panel displays the current builder version, user settings, malware status, and logs. It should be noted that the domain names Vidar uses to locate its C&C servers, to which the stolen data is uploaded, change every four days.

Vidar is capable of stealing text files in multiple formats; browser cookies, history and other browser records, including data from TOR; and autofill values, including banking and credit card details. In addition, the malware can search for cryptocurrency wallet information, take screenshots and record private messages from various applications.

What’s more, Vidar is also known to be able to steal digital coins from offline wallets. Holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are at risk, as these are the cryptocurrencies currently supported by the malware.

After collecting all targeted information, the malware archives it and sends the stolen data to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Vidar malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of Vidar.

Figure 1: A visual process graph of Vidar / Arkei execution generated by ANY.RUN

Figure 2: The customizable text report of the Arkei analysis provided by ANY.RUN is a perfect tool to share the results of an analysis

Vidar execution process

After the user downloads and runs the malicious file, it spawns a child process and starts to collect information from the infected device. Often, once the information has been collected, the malware kills and deletes itself through a command-line command.
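The self-deletion step above is one of the few behaviours a defender can key on from process-creation telemetry alone. The following added example (not from ANY.RUN or the page) flags a cmd.exe child that is told to delete its own parent executable; the Sysmon-style events, file names and the exact command line are constructed sample data, not a captured Vidar command.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (sample data, not output
# from ANY.RUN or a real Vidar sample). All paths and commands are hypothetical.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "CommandLine": r'"C:\Users\victim\Downloads\invoice.exe"'},
    # the stealer spawning cmd.exe to kill and remove itself
    {"ParentImage": r"C:\Users\victim\Downloads\invoice.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": (r'cmd.exe /c taskkill /im invoice.exe /f & '
                     r'del /f /q "C:\Users\victim\Downloads\invoice.exe"')},
    # benign cleanup: an installer deleting a temp file, not itself
    {"ParentImage": r"C:\Program Files\Setup\setup.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del /q "C:\Users\victim\AppData\Local\Temp\tmp1.dat"'},
]

DELETE_RE = re.compile(r"\b(del|erase)\b")


def is_self_delete(event: Dict[str, str]) -> bool:
    """True when cmd.exe, spawned by an executable, is asked to delete that
    same parent executable (matched by full path or bare file name)."""
    image = event["Image"].lower()
    if not image.endswith("\\cmd.exe"):
        return False
    parent = event["ParentImage"].lower()
    parent_name = parent.rsplit("\\", 1)[-1]
    if parent_name == "cmd.exe":          # cmd -> cmd chains would self-match
        return False
    cmd = event["CommandLine"].lower()
    if not DELETE_RE.search(cmd):
        return False
    return parent in cmd or parent_name in cmd


def find_self_deletes(events: List[Dict[str, str]]) -> List[str]:
    """Return the parent executables that deleted themselves via cmd.exe."""
    return [e["ParentImage"] for e in events if is_self_delete(e)]


if __name__ == "__main__":
    for path in find_self_deletes(SAMPLE_EVENTS):
        print("self-deletion via cmd.exe by", path)
```

On the constructed events only the invoice.exe parent is flagged; the installer's temp-file cleanup is left alone because the command never references its parent.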

How to avoid infection by Vidar?

When spread via spam email campaigns, Vidar stealer requires the user to download and run a malicious file in order to become active and begin execution. Therefore, following some basic online safety rules can keep users safe from this malware.

As such, users should be careful when downloading attachments in emails from unknown senders. The best practice is to avoid downloading such files altogether, thereby not putting oneself in danger at all.

In addition, downloading only licensed software from trustworthy sources and avoiding game hacking clients greatly reduces the risk of being infected with malware such as Vidar, which uses these attack vectors to infect victims.

The distribution process of Vidar

Like other malware, Vidar / Arkei is distributed through spam email campaigns as a malicious attachment. In addition, cases of Vidar being distributed via shady software and game hacking clients have also been recorded. Vidar targets users all over the world, with the exception of some ex-USSR countries, including Russia.

How to detect Vidar / Arkei using ANY.RUN?

Some malware creates files in which it names itself. You can find such information about the Arkei trojan using ANY.RUN's "Static Discovering": open the "Files" tab in the lower part of the task's window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the file.

Figure 3: Arkei's log file

Conclusion

Vidar / Arkei is a highly dangerous information stealer trojan distributed as malware-as-a-service. Thanks to its extensive stealer feature set, the Vidar trojan can be used to retrieve a wide variety of information from users, including select cryptocurrency coins. Additionally, Vidar is capable of stealing data from TOR.

Thankfully, malware hunting services like ANY.RUN allow researchers to conduct extensive studies of malware samples in a secure environment, enabling them to spread information about the danger and develop effective countermeasures.
